DatasetUrl.disambiguateHttp handling of server not-authorized response

[rschmunk]

Versions impacted by the bug

NJ 5.8.0-SNAPSHOT

What went wrong?

I had a query today from someone trying to open a remote dataset and getting an authorization error in Panoply. This even though he could enter the same URL in his web browser and simply download the file.

The problem is the result of Panoply trying to create a DatasetUrl, and the NJ code throwing an error because the remote server returned a 403 response when DatasetUrl.checkIfDods tried asking for the URL with ".dds" appended.

It would seem to me that the code in DatasetUrl.disambiguateHttp (line 383) should trap for this, and if it occurs, move on to the next test.

Actually, it looks like several of the checkifXxxx methods in DatasetUrl throw such exceptions, so perhaps DatasetUrl.disambiguateHttp should do the same for those cases also?

Or is there some use case for these exceptions that I am not getting?

Relevant stack trace

java.io.IOException: Unauthorized to open dataset https://nomads.ncep.noaa.gov/pub/data/nccf/com/nwm/post-processed/RFC/AB/channel_rt/nwm.t2025041403z.short_range.channel_rt.abrfc.nc
	at ucar.nc2.dataset.DatasetUrl.checkIfDods(DatasetUrl.java:446)
	at ucar.nc2.dataset.DatasetUrl.disambiguateHttp(DatasetUrl.java:383)
	at ucar.nc2.dataset.DatasetUrl.findDatasetUrl(DatasetUrl.java:161)
	at gov.nasa.giss.data.nc.NcFileUtils.createDatasetUrl(NcFileUtils.java:96)

Relevant log messages

No response

If you have an example file that you can share, please attach it to this issue.

If so, may we include it in our test datasets to help ensure the bug does not return once fixed?
Note: the test datasets are publicly accessible without restriction.

Yes

Code of Conduct

• I agree to follow the UCAR/Unidata Code of Conduct

[lesserwhirls]

I did a little digging and found this issue:

Unidata/thredds#551

and this fix:

Unidata/thredds#754

which is causing the behavior your are seeing...not an answer, but perhaps a clue. I agree, though, that the behavior you see isn't what we want.

[lesserwhirls]

I was able to discuss this with @DennisHeimbigner today (thank you Dennis!). I think for the 401 case, it's pretty clear that we should throw the error as a signal that we need credentials. The 403 case is a little more tricky because it could be related to insufficient credentials, OR not related to credentials at all (which is the case here).

Mapping this out a bit with a few scenarios:

1. The request actually needs credentials and the server returns a 401: checkIfXXX throws an IOError, bubbles out to client, and is a signal that credentials are needed.

2. The request actually needs credentials, but the credentials submitted had insufficient permissions, so the server returns a 403: checkIfXXX throws an IOError, bubbles out to client, and is a signal that credentials are incorrect.

3. The request does not need needs credentials, server returns 403: checkIfXXX logs a warning and moves on to the next checkIfXXX call.

Unfortunately, the server does not have to distinguish between a general "nobody can do that" vs "I know who you and your are not allowed to do that"—one can be potentially fixed by the client, while the other cannot. I could argue that 403 isn't the right code for the server to be sending in this case (maybe a 404 would be better, depending on motivation), but alas.

My interpretation of the disambiguateHttp method is that it is trying its best to answer the question of "am I talking to a service of some sorts, or will I need to use byte-range requests to try to open a remote file to see if I have an IOSP that understands what it is?". If that's true, then outside of outside of authentication/authorization issues I think we want to do our best to make sure we treat the url as being a basic HTTP served file if all else fails (with logs to give hints). If so, what we can do is:

• For a 401, always throw the error.
• For a 403, check if the request was sent with credentials—if so, throw the error, but if not, log and continue to the next check.

Thoughts?

[lesserwhirls]

Tagging @ethanrd here as well.

[ethanrd]

Ugh! HTTP status codes are (and have always been) quite slippery. The definitions, at least in some cases, are just not very clear.

Unfortunately, the server does not have to distinguish between a general "nobody can do that" vs "I know who you and your are not allowed to do that"—one can be potentially fixed by the client, while the other cannot. I could argue that 403 isn't the right code for the server to be sending in this case (maybe a 404 would be better, depending on motivation), but alas.

I totally agree that a 403 is not the most informative response available for credentials that aren't valid for that request. I would argue that a 401 would provide the most information. Alas, indeed, it is up to the server to decide which of the several more or less informative responses to return.

Since the client can't know if a 403 indicates invalid credentials or something else (even if the original request was sent with credentials) [1], wouldn't the best response to all 403s be to log and continue to next check? Yes, if it is a credentials issue, it will fail without any indication of the reason. However, that is because of the decision of the server (to send a 403 instead of a 401) and is, I think, not something for the client to second guess.

[1] Unless the server "wishes to make public why the request has been forbidden [in which case it] can describe that reason in the response content (if any)". However, that content is not standardized so would be server dependent.

[rschmunk]

@ethanrd is correct that a 403 might come back for reasons other than the credentials. As stated in the 403 link above, "However, a request might be forbidden for reasons unrelated to the credentials."

In the case I was running into, the problem was that NJ was working its way through a chain of possibilities and when querying the remote data server appending a .dds to the filename requested. There apparently wasn't such but the server returned 403 rather than 404.

(I'd have to look at the NJ source again to see what would have happened if a 404 had come back.)

[lesserwhirls]

If the server would have returned a 404, netCDF-Java would have moved on to the next check.

What I've suggested is that we only throw an error for a 403 if we sent credentials with the request that caused the 403 to begin with, otherwise we log and move on (and always throw an error for a 401). That way clients have a signal that credentials are needed (401), or incorrect (possibly 403 when credentials were sent with the request). For this particular case, we would see the 403 return, do a check and see that we didn't send credentials in the first place (and therefore it's very likely not a credentials problem), log the event, and move on to the next check. That's very similar to @ethanrd's suggestion of logging all 403s and moving on, but it could catch a subset of 403s that are credential related.

As a side note, when things are working correctly (sad times: it's broken right now), you can bypass all of this by adding httpserver: to a request to signify you are trying to read a remote file using byte-range requests, dods: for dap2 requests, dap4 for dap4 requests, etc. (Dataset URL docs, pretty sure this information is not totally correct at the moment as well). So if the user knows the voodoo, and it's the 3rd Thursday under a blood moon, then they could have a chance at getting the request to work, but I'd rather these checks in disambiguateHttp do the right thing 90%+ of the time and simplify the process for them.

[ethanrd]

What will the user experience look like in the case where a 403 was returned for a request that was sent with credentials but the reason a 403 was returned wasn't related to credentials? Will they fall into a frustrating loop of attempts to correctly type their credentials?

I guess that is my main hesitation about assuming a 403 response where credentials were submitted means the credentials are wrong. At least for the situation where a chain of protocols is being checked.

[lesserwhirls]

Yep, that's the tradeoff - you snag the cases where creds were wrong, but you don't catch the cases where you sent creds that were good but the server returned a 403 anyways. I don't have a good feeling about which takes us closer to that 90%+ of the cases "just work". It is more simple to just always log the 403s.

[ethanrd]

Yeah, seems impossible to get even a good feel for that given the variety of servers supporting the various services.

[lesserwhirls]

Ok, let's go for only logging all 403s as a first step and see how it goes.